From: andrea@cpushare.com
To: Pavel Machek <pavel@ucw.cz>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
ajwade@cpe001346162bf9-cm0011ae8cd564.cpe.net.cable.rogers.com,
Lee Revell <rlrevell@joe-job.com>,
"Randy.Dunlap" <rdunlap@xenotime.net>,
Andrew Morton <akpm@osdl.org>,
bunk@stusta.de, linux-kernel@vger.kernel.org, mingo@elte.hu
Subject: Re: [2.6 patch] let CONFIG_SECCOMP default to n
Date: Fri, 14 Jul 2006 02:34:29 +0200 [thread overview]
Message-ID: <20060714003429.GA18774@opteron.random> (raw)
In-Reply-To: <20060713232026.GA6117@elf.ucw.cz>
On Fri, Jul 14, 2006 at 01:20:26AM +0200, Pavel Machek wrote:
> I do not want to enter seccomp flamewar, and that's why I did not
> answer to Ingo.
Ok ;), I didn't imagine this was the reason. So we agree that the risk
introduced by the availability of the TSC is orders of magnitude
higher than whatever network timing attack.
> Strictly speaking, this is wrong. This is like adding noise into the
> room. You have to pick up maximum delay (ammount of noise), and you
> clearly can't override signal that's longer than maximum delay. But
>
> you also can't override signal that's half the maximum delay, given
> that transmitter will retransmit it 4-or-so times. Just average 4
> samples, and your random delays will cancel out.
>
> No, this probably does not apply to seccomp, because we are picking
> unintended noise from affected computer.
Well, perhaps I wasn't clear enough, but I am only talking about
seccomp not some other unrelated and hypothetical network system.
I know a few algorithms are potentially vulnerable to network timing
attacks, the tcp sequence number and urandom comes to mind. urandom is
perhaps the worst of all (which btw, it also gets data from the
tsc). Those issues have absolutely nothing to do with seccomp.
As far as seccomp is concerned the only worry is the demonstration of
the timing side channel that was getting openssl keys by controlling
the host and running openssl commands on the other cpu at his
will. And to do that you need the TSC. Even that is totally vapourware
because the attacked environment was strictly controlled by the
attacker, it's unclear what would happen shall the attacked
environment being mostly random like in real life. Disabling the TSC
has been generally agreed good enough to stop it.
The second one in the priority list are the readonly ptes mapping HPET
on some x86-64 config. The network timing attack to CPUShare is way
over what I could actually worry about.
> OTOH I'm pretty sure I could communicate from seccomp process by
> sending zeros alone, and I cound communicate from another process on
> box running seccomp through your randomizing packetizer to my machine.
You mean you could communicate using some sort of morse-code and you
would use the frequency of the zero to send the messages? That's
certainly possible today (without any randomizer), but the timing will
be measurable through the internet, so you're talking morse-code in
cleartext over the internet. The whole internet will sniff your
message. Furthermore I register all ip and ports for all transactions,
so it's really no different from direct a tcp connection even if you
talk encrypted-more-code over it, you're only wasting some resources.
Also note, there's absolutely no way for you to know for sure who you
are talking with.
So I don't see anything to worry about, feel free to communicate with
the other side through seccomp if you want, I'm certainly not adding a
randomizer to prevent that.
Thanks.
next prev parent reply other threads:[~2006-07-14 0:33 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-29 19:21 [2.6 patch] let CONFIG_SECCOMP default to n Adrian Bunk
2006-06-30 0:44 ` Lee Revell
2006-06-30 1:07 ` Andrew Morton
2006-06-30 1:40 ` Adrian Bunk
2006-06-30 4:52 ` Andrea Arcangeli
2006-06-30 9:47 ` Ingo Molnar
2006-06-30 14:58 ` andrea
2006-07-11 7:36 ` [patch] " Ingo Molnar
2006-07-11 14:17 ` andrea
2006-07-11 14:32 ` Arjan van de Ven
2006-07-11 15:31 ` andrea
2006-07-11 15:54 ` Arjan van de Ven
2006-07-11 16:13 ` andrea
2006-07-11 16:23 ` Arjan van de Ven
2006-07-11 16:57 ` Alan Cox
2006-07-11 16:25 ` Alan Cox
2006-07-11 16:02 ` Adrian Bunk
2006-07-11 16:16 ` andrea
2006-07-11 16:24 ` Alan Cox
2006-07-12 15:43 ` Andi Kleen
2006-07-12 21:07 ` Ingo Molnar
2006-07-12 22:06 ` Andi Kleen
2006-07-12 22:19 ` Ingo Molnar
2006-07-12 22:33 ` Andi Kleen
2006-07-12 22:49 ` Ingo Molnar
2006-07-13 3:16 ` Andrea Arcangeli
2006-07-13 11:23 ` Jeff Dike
2006-07-13 11:35 ` Ingo Molnar
2006-07-13 3:04 ` Andrea Arcangeli
2006-07-13 3:12 ` Linus Torvalds
2006-07-13 4:40 ` Andrea Arcangeli
2006-07-13 4:51 ` andrea
2006-07-13 5:12 ` Linus Torvalds
2006-07-13 6:22 ` andrea
2006-07-13 1:51 ` Andrew Morton
2006-07-13 2:00 ` Linus Torvalds
2006-07-13 7:44 ` James Bruce
2006-07-13 8:34 ` andrea
2006-07-13 9:18 ` Andrew Morton
2006-07-14 6:09 ` [PATCH] TIF_NOTSC and SECCOMP prctl andrea
2006-07-14 6:27 ` Andrew Morton
2006-07-14 6:33 ` andrea
2006-07-13 12:13 ` [patch] let CONFIG_SECCOMP default to n Andi Kleen
2006-07-12 21:22 ` Ingo Molnar
2006-07-12 22:11 ` Andi Kleen
2006-07-11 15:54 ` Pavel Machek
2006-06-30 12:39 ` [2.6 patch] " Alan Cox
2006-06-30 2:35 ` Randy.Dunlap
2006-06-30 15:03 ` Lee Revell
2006-07-08 9:23 ` Andrea Arcangeli
2006-07-11 1:59 ` Andrew James Wade
2006-07-11 4:16 ` andrea
2006-07-11 20:19 ` Andrew James Wade
2006-07-12 21:05 ` andrea
2006-07-12 22:02 ` Alan Cox
2006-07-12 23:44 ` andrea
2006-07-13 21:29 ` Pavel Machek
2006-07-13 23:11 ` andrea
2006-07-13 23:20 ` Pavel Machek
2006-07-14 0:34 ` andrea [this message]
2006-07-15 2:55 ` Valdis.Kletnieks
2006-07-16 0:51 ` andrea
2006-07-16 1:54 ` Pavel Machek
2006-07-16 15:36 ` andrea
2006-07-13 2:56 ` Andrew James Wade
2006-07-12 21:13 ` Ingo Molnar
2006-07-13 1:16 ` andrea
2006-07-13 1:37 ` Andrew James Wade
-- strict thread matches above, loose matches on Subject: below --
2006-06-26 16:26 Adrian Bunk
2006-04-27 20:33 Adrian Bunk
2006-04-18 22:07 Adrian Bunk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060714003429.GA18774@opteron.random \
--to=andrea@cpushare.com \
--cc=ajwade@cpe001346162bf9-cm0011ae8cd564.cpe.net.cable.rogers.com \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bunk@stusta.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=pavel@ucw.cz \
--cc=rdunlap@xenotime.net \
--cc=rlrevell@joe-job.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox